Every unit at UAB with devices connected to the UAB campus network should have a "network contact" person, even if there is no department server or local area network. At least one person within your department should be designated to be responsible for communicating your requests to DC/NS, and for assisting network users with basic configuration, software installation, computer training, and problem solving.

Designate an official "network contact" person for your department.

Each department or unit at UAB should have an officially designated "network contact" person.

The dean, chairman or director designates who is to serve as "network contact" for your unit. The dean, chairman or director should send either a written memo or an e-mail message to userservices@uab.edu indicating who is to be considered the official contact person.

If the "network contact" person is not a UAB employee, the department should additionally designate a contact person who is a UAB employee.

The "network contact" person should have access to a UAB e-mail account (hostname ends in uab.edu). All requests to DC/NS must be submitted via e-mail (userservices@uab.edu), and for security reasons these must originate from a server registered through DC/NS.

Notify DC/NS when there is a new "network contact" person, or other changes in responsibilities.

When there is a change in personnel or responsibilities within your department, DC/NS should be notified. The previous "network contact" may send a message to userservices@uab.edu introducing the new person. If no replacement arrives before the old person departs, the last "network contact" should hand this function to their supervisor or another person in the department, who will then hand the job to the replacement person when they arrive. IP records, and any other records, should be turned in to the department for safekeeping.

If the "network contact" left UAB without notifying DC/NS, the dean, director or department head should contact DC/NS with the name of the replacement contact person.

A domain name such as the one described above is called a third-level domain name. There is a $500 one-time fee for creating new third-level domains. There is no additional charge for registering names within the domain once it is set up. Third-level domain names should be requested by the department network contact.

Please send requests for third-level domain names to UserServices@uab.edu and include an FAS account number to be billed for registering the name.

Faculty, staff and students who are involved in professional, academic, or student-social organizations are sometimes interested in hosting a web site for their group and want to use a domain name that does not end in uab.edu.

SOLUTION:

UAB cannot provide DNS (Domain Name) service for domains other than uab.edu. However, what we can do is register an on-campus server with a uab.edu name, and then you can arrange for an outside Internet Service Provider (ISP) to provide the name www.alabama_engineers.org and point it to your UAB server. The end result is that someone who types the URL www.alabama_engineers.org into their web browser will be taken to the organization's home page, which may happen to be sitting on a computer housed at UAB. Most ISPs charge a small fee for providing you with this service.

Make sure the system is disconnected from the network. This is to protect UAB from any additional impact from the incident.

Determine the affected data.

Confirm whether or not sensitive data was housed on the compromised device. This includes employee, student, patient, or research data. Determine if any sensitive data was inappropriately accessed. If so, immediately escalate to both your local management and the UAB Data Security (https://silo.dso.uab.edu/incident or call 205-975-0842).

If sensitive data is at risk, do not perform additional activity until you have spoken with Data Security.

Perform Root Cause Analysis

Establish the reason that the system was exploited. Ask yourself these questions:

Did an end user install something harmful?

Was it caused by a weak password?

Was the system missing a patch?

Remediate the issue

The best way to restore a compromised machine is from a trusted backup or to do a clean installation. Even what used to be routine virus infections have become so advanced that we cannot trust a system once it's been infected.

Perform password changes for end users and any administrators that may have used the system as well. This includes BlazerIDs and other accounts such as websites that were accessed from the compromised machines. Local Administrator passwords should also be changed.

Reconnect to the network

Once the system has been properly remediated, UAB Data Security, in conjunction with the HIPAA Security Office, will reconnect the machine to the network. This process can take up to 24 hours after the initial request.

If you receive a notice saying the machine was compromised, the best way to get reconnected is to reply to that email.

If you are dialing into the system from a different number (other than your mailbox number), press the "*" key next and you will be prompted to enter your seven-digit mailbox number followed by your passcode. This allows the server to match your passcode to the correct mailbox number.

Designate appropriate individuals with system administration responsibilities, ensuring that their role in securing the system is defined in their job description, and that they are trained in administration and security of the system.

Ensure adherence to UAB guidelines and procedures for protecting data as found in IT Security Practices.

Ensure that risk assessments are performed (including disaster recovery plans, backup and contingency plans) as required by HIPAA for all PHI. Risk assessment is recommended for all other sensitive or mission critical data.

Ensure that documentation of data resources created, used, or stored within their area of control is maintained.

Ensure that the department/unit follows procedures to mitigate all identified compromises or identified data security threats.

Ensure that actual or suspected data security breaches, especially when involving sensitive data, are reported to the Data Security Office immediately and that any recommended corrective action is implemented.

Ensure that non-UAB entities or contracted third party vendors handle data in accordance with UAB policies and procedures.

Departmental IT representatives at UAB can bring discs, along with the UAB Secure Media Destruction Chain of Custody Form, to the AskIT Help Desk location at CEC 225. The discs are stored securely until they are picked up by Desktop Support staff. They are delivered to the Waste Holding Facility to be destroyed using the metal shredder.

PGP Deployment Strategy

Create a resource account on the UAB domain under your OU (AskIT can assist you with this). You typically want this to represent your department and PGP (e.g. SOPH-PGP or SOM-PGP).

Login to the laptop and add a PGP account.

If the laptop is on the UAB domain, add the resource account to the administrators group and proceed through the installation documentation while using that account.

If the laptop is on a different domain or no domain at all, you can create a new admin and install PGP with that account.

When you are prompted to enroll with the PGP server, provide the resource or admin account credentials. This creates a recovery token that you can request to gain access to the machine (should you ever find yourself locked out of the system).

When the installation is complete, you will need to add the user(s) to PGP with their normal login credentials. When they log in, they will enter their BlazerID credentials in the enrollment screen (this generates a recovery token in case they ever have password issues).

Remove the resource account from the administrators group at the end of the process. Removing admin rights from the PGP resource account ensures that if the password for either your domain admin account or PGP resource account is ever compromised, the account only runs at a user level (additionally, compromised domain admin credentials don’t grant access to every encrypted laptop). To work on the system, you would have to input the PGP password, choose “Logout”, and then enter the admin account credentials.
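As an added example (not UAB's or PGP's own code), the following PowerShell script automates the grant-then-revoke of local Administrators membership that the steps above describe and verifies at the end that the revocation actually took effect. It assumes a domain resource account named UAB\SOPH-PGP (constructed from the naming example above), a laptop joined to the UAB domain, and an elevated PowerShell session; the PGP installation and server enrollment themselves are still performed interactively by the operator.

```powershell
# Added example, not part of the UAB page or PGP's own tooling.
# Assumptions: domain resource account UAB\SOPH-PGP (constructed name), laptop joined to the
# UAB domain, script run from an elevated prompt. 'net localgroup' is used instead of the
# newer *-LocalGroupMember cmdlets so the script also works on older Windows builds.
$ResourceAccount = 'UAB\SOPH-PGP'

function Get-LocalAdministrators {
    # Parse 'net localgroup Administrators' output: drop the header, separator and footer
    # lines and return one trimmed account name per element.
    $raw = net localgroup Administrators
    $raw | ForEach-Object { $_.Trim() } | Where-Object {
        $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+$|The command)'
    }
}

function Test-IsLocalAdministrator([string]$Account) {
    # -contains compares strings case-insensitively in PowerShell, which suits account names.
    return (Get-LocalAdministrators) -contains $Account
}

# Step 1: grant admin rights only for the duration of the PGP install and enrollment.
if (-not (Test-IsLocalAdministrator $ResourceAccount)) {
    net localgroup Administrators $ResourceAccount /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $ResourceAccount to Administrators" }
}
Write-Host "Run the PGP installer and enroll with the PGP server using $ResourceAccount, then add the end users."
Read-Host 'Press Enter here once the PGP installation and user enrollment are complete' | Out-Null

# Step 2: revoke admin rights so a compromised resource-account password yields user-level access only.
net localgroup Administrators $ResourceAccount /delete | Out-Null

# Step 3: verify the revocation before treating the laptop as deployed.
if (Test-IsLocalAdministrator $ResourceAccount) {
    throw "$ResourceAccount is still a member of Administrators; do not hand over this laptop yet"
}
Write-Host "$ResourceAccount now has user-level rights only; deployment step complete."
```

The final check matters because a failed /delete (for example, if the account was added under a different spelling) silently leaves the resource account with administrator rights on that laptop.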

How Different PGP Components Address Different Needs

PGP Whole Disk Encryption

Encrypts the whole hard drive or USB drive. Removable devices are not readable on a system unless PGP is installed. This option is most useful in cases where blanket encryption is needed.

PGP Virtual Disks

Creates a virtual drive (.pgd) that is only mountable on a system with PGP. A virtual disk can be added to a portable drive to provide secure storage for sensitive information without forcing the entire drive to be encrypted. This gives the user the power to use the drive on systems without PGP, thus leaving flexibility intact and providing security for sensitive information because it cannot be accessed without PGP.

PGP Zip Archives

Creates a compressed and encrypted archive of files that in most cases can only be accessed on a system with PGP. If the user has PGP installed on a PC, then they are able to create “Self Decrypting Archives”. This particular archive type allows anyone with the passphrase to extract the secure contents of the file without having PGP installed. Self-decrypting archives are particularly useful when users need to move sensitive data and PGP may not be available at the destination.

PGP In-Depth

Installation

During setup, the system must have access to the Internet or the UAB campus network in order to authenticate on the key-server (the address is embedded in the installer and is later added to the Windows Registry or Mac User Preferences). When you come to the point in the installation where you enter a BlazerID or resource account as enrollment credentials, they are sent to the key-server, which checks them against LDAP. Once you have successfully authenticated, the server will send some configuration information to the client and also create an entry under your BlazerID that will include information about the computer you are encrypting.

Passwords

Unless the BlazerID credentials are used to login to the system, they are only used to create a Whole Disk Recovery Token (WDRT) with the server; the user name and password for the local user are separate and aren’t sent to the server. Instead, an encrypted hash of the local password is cached in the PGP client once it’s used to login to Windows. So if you change a password, it will be updated only after it is used; not when the password is changed. This means that if the user chooses to restart immediately after changing their password, the old password must be used on the PGP Bootguard screen and the single sign-on feature (Windows) won’t log them in because Windows is expecting the new password. To prevent this situation from occurring, the user should probably choose to logout then login after a password change. The cached password should update immediately and the new password will work with the PGP Bootguard screen. If multiple users plan to use a Windows system with PGP, ensure that all of the users set unique passwords. If multiple users have the same password, then PGP will assume that the last user to login is the one authenticating.

Accounts

Windows

On a PC installation of PGP, single sign-on is used and accounts are verified. When you add a passphrase user to PGP, it will require that a strong password is used and that it matches the account password on the machine. If the user doesn’t exist or it has a blank password, you will receive an error message and the user will not be added. The relationship between PGP and Windows accounts is limited to those that exist and adding or removing a user in one location does not change the state of the other location. So if you remove a Windows user account, the entry will still exist and work in PGP but single sign-on will not be possible.

Mac

On a Mac installation of PGP, single sign-on is not used and the passphrase users in PGP are not tied to any operating system accounts. This is due to the fact that PGP writes to a preference file under the profile that installs PGP and does not add any important configuration info to the main preferences folder or user folders. Because the preferences are different for every user, when a user other than the one that installed PGP attempts to load the software, they are treated as if they are not licensed and there is no known key-server. This is now corrected by an application and documentation that is added to the installer file under “PGP-User Enrollment.app”.

So when you consider the behavior of PGP for Macs version 9.9 you could view each passphrase user as nothing more than a password that will get you past the PGP Bootguard screen.

Encryption

If the policy (configuration) of your PGP client requires that the primary hard drive is encrypted, the process will begin once you have added a passphrase user and completed the configuration steps. Regardless of whether you start the encryption automatically or manually, the software first creates a Whole Disk Recovery Token on the server under your BlazerID, and then it installs the PGP Bootguard.

Windows

On a Windows system, installing the Bootguard means that the software creates a backup of the MBR and then installs a PGPMBR in its place. This is the point where dual-boot systems normally break (the other components of PGP don’t cause this).

Mac

On an Intel-Mac, the Extensible Firmware Interface (EFI) normally hands off to the GUID Partition Table (GPT). But when a Mac is encrypted with PGP, the EFI is backed up and replaced by one that loads the encryption software. This is also the point where Bootcamp is broken.

From this point on, the PGP Bootguard screen is installed and a valid passphrase must be provided before the drive can be accessed. If the drive is removed or booted in an alternate method, the data can’t be accessed or read unless it is on a machine with PGP and a valid passphrase is used to unlock the device.

Recovery Tokens

If you or a user is ever locked out of a machine for whatever reason, you can call AskIT and they can give you the recovery token for your username on that system. The recovery token is a string of 28 characters (dashes are optional) that will provide access beyond the PGP Bootguard screen but will not let you in the operating system. If you don’t have any passwords to the system that can grant you access as an administrator, then you should consider decrypting the drive with the proper PGP boot disk or from an encrypted workstation and then go through your normal recovery procedures. Once a recovery token is created, an entry is logged on the server and the system is flagged as needing a new WDRT. If you successfully login to the account that the WDRT was for, the client will then attempt to negotiate the creation of a new WDRT with the server (which requires a network connection to the server).

Troubleshooting Tips

Update the System Time

If the system time is out of date, PGP may not be installed correctly. If you have already installed PGP before updating the system time so that it is automatically synchronized, you may receive error messages such as "This configured PGP install requires an enterprise license," or notice that PGP is not functioning properly. In order to resolve this issue you will need to update the system time and completely reinstall PGP. Follow the steps below to update system time on a Windows machine:

Open the "Date and Time Properties" by double-clicking on it in the task bar, or by clicking on "Start," selecting "Control Panel" and choosing "Date and Time" (it may be under "Date, Time, Language and Regional Options").

Correct the date and time information, then click "OK" to save changes.

Correcting Networking Issues Caused by PGP

Install PGP

Go to C:\Windows\system32\PGPIspRollback.reg

Right-click the file and choose Merge

Restart the PC

Completely Resetting PGP (Windows)

CAUTION: DO NOT RESTART THE PC BETWEEN ANY STEPS

Be sure that the computer is online and can connect to the Internet.

Exit any running instance of PGP or PGP Services.

Open regedit and go to HKLM\SOFTWARE\PGP Corporation\PGP. Change PGPSTAMP to be ovid=keys.it.uab.edu&admin=1

Restart PGP by clicking on Start->PGP->PGP Desktop. Be sure you enter your BlazerID credentials on the enrollment screen and select "New User".
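As an added example (not UAB's or PGP's own code), this PowerShell script performs the reset steps above in order, without any reboot, and reads the registry value back to confirm the change. It assumes the key-server host keys.it.uab.edu (from the PGPSTAMP value above) answers ICMP so that the connectivity check is meaningful, and that PGP Desktop's process and service names begin with "PGP" (an assumption; adjust to what Task Manager and services.msc show on your build). Launching PGP Desktop and enrolling with the BlazerID remain interactive.

```powershell
# Added example, not part of the UAB page or PGP's own tooling.
# Assumptions: key-server keys.it.uab.edu replies to ping; PGP process/service names start
# with "PGP" (adjust if yours differ). Run from an elevated prompt. Do NOT reboot between steps.
$RegPath   = 'HKLM:\SOFTWARE\PGP Corporation\PGP'
$ValueName = 'PGPSTAMP'
$NewStamp  = 'ovid=keys.it.uab.edu&admin=1'
$KeyServer = 'keys.it.uab.edu'

# Step 1: the reset re-enrolls against the key-server, so stop early if it is unreachable.
if (-not (Test-Connection -ComputerName $KeyServer -Count 2 -Quiet)) {
    throw "Cannot reach $KeyServer; connect to the campus network or Internet before resetting PGP"
}

# Step 2: exit any running PGP instance or PGP service (name patterns are assumptions).
Get-Service -Name 'PGP*' -ErrorAction SilentlyContinue | Stop-Service -Force -ErrorAction SilentlyContinue
Get-Process -Name 'PGP*' -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 2

# Step 3: record the current PGPSTAMP so the change can be reversed, then write the new value.
if (-not (Test-Path $RegPath)) { throw "Registry key $RegPath not found; is PGP Desktop installed?" }
$old    = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$backup = Join-Path $env:TEMP 'PGPSTAMP.backup.txt'
"$(Get-Date -Format s) $ValueName=$old" | Add-Content -Path $backup
Set-ItemProperty -Path $RegPath -Name $ValueName -Value $NewStamp

# Step 4: read the value back; a typo in PGPSTAMP leaves the client pointed at the wrong server.
$now = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($now -ne $NewStamp) { throw "PGPSTAMP was not updated (current value: '$now')" }
Write-Host "PGPSTAMP changed from '$old' to '$now'; previous value saved in $backup"
Write-Host "Now start PGP Desktop (Start -> PGP -> PGP Desktop), enter your BlazerID credentials and select 'New User'."
```

Keeping the previous PGPSTAMP in a backup file lets you restore the original server string if the re-enrollment fails for reasons unrelated to the registry (for example, a licensing error caused by a wrong system time, as described above).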

Hard Drive Recovery

If you have the drive slaved to a working machine with the same version of PGP Desktop, try the following:

Open a CMD prompt.

Go to: c:\Program Files\PGP Corporation\PGP Desktop\

Run pgpwde --enum. This lists all the drives available on your machine; find the drive number of the encrypted drive. The first is disk 0 (your boot drive), then disk 1, then disk 2, and so on.

Once you have your disk number, run: pgpwde --disk # --recover, where # is the number you found (so for disk 1 it would be: pgpwde --disk 1 --recover). pgpwde will search the disk for a backup sector and, if it finds one, restore it.

If it restores the sector, then run: pgpwde --disk # --decrypt --passphrase "your passphrase" (enter the passphrase within double quotes).
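As an added example (not UAB's or PGP's own code), here is a PowerShell wrapper around the three pgpwde commands above that stops if the backup-sector restore fails, refuses to operate on disk 0 (the workstation's own boot drive), and reads the passphrase as a SecureString so it does not end up in the PowerShell history. It assumes the pgpwde.exe path given on this page and that pgpwde returns exit code 0 on success (an assumption; confirm against the PGP Windows Command Line Guide for your version).

```powershell
# Added example, not part of the UAB page or PGP's own tooling. Drives the pgpwde sequence
# from the "Hard Drive Recovery" tip on a workstation with the encrypted drive slaved to it.
# Assumptions: pgpwde.exe path as given on the page; exit code 0 means success (assumed).
$pgpwde = 'C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path $pgpwde)) { throw "pgpwde.exe not found at $pgpwde" }

# Step 1: enumerate disks so the operator picks the right number (disk 0 is the boot drive).
& $pgpwde --enum
[int]$disk = Read-Host 'Enter the disk number of the slaved, encrypted drive'
if ($disk -eq 0) { throw 'Disk 0 is this workstation''s own boot drive; refusing to recover it' }

# Step 2: try to restore the backup boot sector; stop here if pgpwde could not find one.
& $pgpwde --disk $disk --recover
if ($LASTEXITCODE -ne 0) {
    throw "Recovery of disk $disk failed (exit code $LASTEXITCODE); do not attempt decryption"
}

# Step 3: only after a successful restore, decrypt the disk. The passphrase is read as a
# SecureString so it never lands in the shell history; pgpwde still receives it in plain text
# on its own command line, so run this on a workstation you control.
$secure = Read-Host 'PGP passphrase for the recovered disk' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $pass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    & $pgpwde --disk $disk --decrypt --passphrase "$pass"
    if ($LASTEXITCODE -ne 0) { throw "Decryption of disk $disk returned exit code $LASTEXITCODE" }
}
finally {
    # Release the unmanaged copy of the passphrase and drop the managed string.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable pass -ErrorAction SilentlyContinue
}
Write-Host "Disk $disk decrypted; continue with your normal recovery procedures."
```

The explicit exit-code check between --recover and --decrypt is the point of the wrapper: attempting decryption on a disk whose boot sector could not be restored is what the manual steps above tell you not to do.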

Open PGP Desktop and select Tools>View Log. Set “View Level” to Verbose.

If the application is crashing prior to launch, click Start->Run and type "%appdata%"

Once you have your Application Data folder up, open "PGP Corporation", then open "PGP".

You should see "PGPlog.txt" with debug logging data in it.

PGPWDE Command Line

Many helpful commands can be issued to PGP from a command line which provides many opportunities for scripting and remote modification.

Windows

The PGP WDE command line utility is installed at C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe on Windows machines, and "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation, see the PGP Windows Command Line Guide at: https://supportimg.pgp.com/guides/PGPwdeWinCmdline_991_usersguide_en.pdf

There is certain information you are not allowed to update for your listing in the electronic phonebook. To update items like department, job title, campus address, or telephone number, consult the HR and administrative person in your office. He/she can submit an ACT form to have these items updated for you.

For UAB employees:

Each UAB employee shall be accountable for current and accurate electronic phonebook listings.

Accuracy is critical in order for all UAB and Health System employees to be contacted. Failure to comply shall result in misdirected calls and erroneous information.

The process for individuals to verify and/or update listing information is as follows:

Follow online instructions to query the phonebook for your individual listing. The results should list the individual requested.

To verify or make changes to the individual listing, click on the name field. The individual listing information will be displayed.

To make changes to the information listed, click the Change Information button.

Enter your BlazerID and password.

If you have forgotten your BlazerID password, you must complete the BlazerID password reset form at http://www.uab.edu/blazerid or contact AskIT at 996-5555.

Fields with blue buttons can be modified online by the individual.

Fields with red buttons are not modifiable online and are provided from official UAB/HSF records. If you are an HSF employee and wish to make changes to fields with red buttons, you must contact one of the HR specialists at the Human Resource Center at 731-9600.

You can click on the help icon next to each field to determine which office supplied the particular information.

If you are an HSF employee and wish to change your office phone number(s) and/or physical office location, contact an HR specialist at the Human Resource Center at 731-9622.

All other personnel changes, such as Department Name or Title, must be submitted by a departmental supervisor using the personnel action form process.